How to Create Strong Passwords (and Why Length Beats Complexity)

The advice most people remember about passwords is roughly twenty years out of date. The familiar rule, "at least eight characters, upper and lower case, a number and a symbol", dates from a 2003 NIST publication whose author later said publicly that he wished he could take it back. The current guidance from NIST (SP 800-63B, revised in the most recent updates) inverts much of the old wisdom: length is what matters, forced complexity rules quietly make things worse, and rotating passwords on a fixed schedule is now actively discouraged. This guide explains why, and what to do instead.

Entropy, in two paragraphs

The strength of a password is measured in bits of entropy, which is just the base-2 logarithm of the number of possible passwords an attacker would have to try. A password drawn uniformly at random from an alphabet of size N with length L hasL × log₂(N) bits of entropy. Lower-case letters give you about 4.7 bits per character, the full ASCII printable set gives about 6.6, and a list of common English words with around 8,000 entries gives roughly 13 bits per word.

The headline number to keep in mind is that anything below about 60 bits of entropy is breakable by a determined attacker with modern hardware, anything above about 80 bits is comfortably safe for the foreseeable future, and the distance between those two is only a handful of extra characters. That is the whole reason length matters more than character variety: each additional character adds entropy multiplicatively, while squeezing in one more symbol class adds it only once.

Why P@ssw0rd! is weak

On paper, P@ssw0rd! ticks every box on the old checklist: nine characters, mixed case, a digit, a symbol. In practice it is among the first hundred guesses any password-cracking tool will attempt. The reason is that attackers do not try every possible nine-character string in order; they run dictionaries of common passwords and apply transformation rules on top.

Those rules know all the obvious substitutions: a to @, o to 0, i to 1, s to $, capitalising the first letter, appending a digit and a symbol at the end. Any password built by starting with a real word and applying that family of tricks has, at best, the entropy of the original word plus a few bits for which substitutions you chose. The bits added by complexity are almost entirely cancelled out by the predictability of how humans add them.

The same logic damns Summer2024!, Welcome1, the company name with a year on the end, and your child's name with a birthday. They satisfy the policy. They do not satisfy an attacker.

Why correct horse battery staple is strong

A passphrase is a sequence of words chosen at random from a list. The canonical example, popularised by an xkcd comic, is correct horse battery staple: four common words, memorable, and worth around 44 bits of entropy if drawn from a dictionary of about 2,000 words. Stretch that to six or seven words from a larger list (the EFF's long wordlist of 7,776 entries is the standard) and you are in the 75 to 90-bit range, which is stronger than any human-generated mixed-case-with-symbols password of comparable length.

The catches are small but real. The words must actually be chosen at random — picking four words yourself reintroduces all the bias that makes human passwords weak. Use dice, or use a generator. And the passphrase needs to be long enough; three words is not enough, no matter how unusual they are.

Use a password manager and stop trying to remember

The single most important shift in personal security over the last decade has been the normalisation of password managers. The argument for using one is straightforward: humans cannot generate or remember unique high-entropy passwords for the hundred-plus accounts a typical person now holds, and reusing passwords across sites is the single biggest cause of account compromise.

A password manager solves both problems. You remember one strong master passphrase. The manager remembers everything else, generates long random passwords on demand, fills them in for you, and warns you when you try to reuse one. The browser and operating-system managers built into recent versions of the major platforms are now genuinely good — they sync across devices, support passkeys, check for known breaches, and require no separate subscription. A standalone manager gives you more portability and finer-grained control, but the bar for "not using a manager at all" should be vanishingly high.

When you generate a password with the Password Generator, the right approach is the one that feels slightly wrong at first: do not try to pick a password you can remember. Generate something long and random, paste it straight into your manager, and never look at it again. The whole point of having a manager is that you never need to type the password yourself.

How passwords are actually stored (and why it matters)

Servers should never store your password directly. They store a hash of it: a one-way mathematical fingerprint that lets the server check whether a submitted password matches without ever keeping the original. Modern systems use a slow, salted hash function designed for this purpose, such as Argon2, scrypt, or bcrypt. The Hash Generator shows what these fingerprints look like for common algorithms; you will notice that two nearly identical inputs produce wildly different outputs, which is the property that makes hashes useful.

This is also why a leak of "hashed passwords" is not the same as a leak of plaintext passwords, but it is still bad. With a copy of the hashes, an attacker can run offline guessing on their own hardware, at billions of attempts per second, with no rate limit. Short or predictable passwords fall in seconds. Long random ones stay safe for centuries. The choice of how long your password is becomes, in effect, a bet on how long your hash sits in someone else's breach archive.

Two-factor authentication and passkeys

A second factor turns a stolen password from a full account compromise into a near miss. The hierarchy, from worst to best, is roughly:

1. SMS codes. Better than nothing, but vulnerable to SIM-swap attacks. Acceptable for low-value accounts where nothing else is offered.
2. Authenticator app codes (TOTP). The six-digit rotating codes from apps like the ones built into your password manager or phone. Solid, widely supported, and not phishable in the same way SMS is.
3. Hardware security keys and passkeys. Cryptographic credentials bound to your device, immune to phishing because the key only releases its signature to the real domain. Passkeys in particular are now supported by every major platform and let you skip passwords entirely on supported sites.

Turn on the strongest factor each account offers, especially for email, banking, and your password manager itself. If your email is compromised, every other account you own is one password reset away from being compromised too.

The traps

A handful of habits do more damage than weak passwords on their own. They are worth naming explicitly.

• Reuse. Using the same password on two sites means a breach at the worse-secured one is also a breach at the better-secured one. Credential stuffing — taking leaked username-password pairs and trying them on every other major site — is the single most successful attack on consumer accounts. A manager makes reuse unnecessary.
• Security questions.Your mother's maiden name, your first pet, the street you grew up on: these are public records or easy social-media inferences. Treat security-question fields as additional password fields and put random strings into them, stored in your manager.
• Forced rotation every 90 days. Discredited. Current NIST guidance is that passwords should be changed only when there is reason to believe they have been compromised. Forced periodic changes lead users to pick weaker, more patterned passwords (Spring2024! becomes Summer2024!) and to write them down in worse places. If your employer still mandates 90-day rotation, push back, or at minimum let your manager generate the next one.
• Composition rules that ban paste. Sites that disable pasting into the password field are actively hostile to password managers, and the people who write those rules have confused themselves about what the threat is. If a site does this, file a complaint and use a long passphrase you can type.
• UUIDs as passwords. A UUID from the UUID Generator looks impressively random and has plenty of entropy, but it is not a substitute for a password. UUIDs are designed to be unique identifiers, often logged in plaintext, and version 1 UUIDs in particular leak a timestamp and MAC address. Use the password generator for passwords.

Check whether you have already been breached

The free service Have I Been Pwned keeps a searchable index of email addresses and passwords that have appeared in publicly disclosed breaches. Searching your email tells you which of your accounts have been involved in known leaks, and the password search lets you check (using a clever partial-hash protocol that does not send your password to the server) whether a candidate password has ever appeared in a breach corpus. Most password managers now integrate the same data and warn you proactively. If a password of yours shows up there, change it everywhere it is used, and stop using it.

A short, practical recipe

1. Pick or install a password manager. The one built into your browser or operating system is fine to start with.
2. Choose a strong master passphrase: six or seven random words from a wordlist, or a long random string you commit to memory through repetition. This is the only password you should ever try to remember.
3. For every account, generate a password with the Password Generatoror your manager's built-in generator. Twenty characters of mixed types is a sensible default; longer for anything important. Do not customise the output to make it memorable.
4. Turn on two-factor authentication everywhere it is offered, and prefer passkeys or an authenticator app over SMS.
5. Run your existing accounts through a breach check, and replace anything compromised or reused.
6. Stop changing passwords on a schedule. Change them when something happens, not when the calendar says so.

The good news is that this is a one-evening project, not a lifestyle. Once the manager is set up and the master passphrase is in your head, the day-to-day overhead is essentially zero, and the threat model you used to live with quietly becomes someone else's problem.